ICSE 2026
Sun 12 - Sat 18 April 2026 Rio de Janeiro, Brazil
ICSE 2026 (series) / Research Track /

LLM-based Vulnerability Discovery through the Lens of Code Metrics

Felix Weissberg, Lukas Pirch, Erik Imgrund, Jonas Möller, Thorsten Eisenhofer, Konrad Rieck
ICSE 2026 Research Track
Fri 17 Apr 2026 12:15 - 12:30 at Oceania X - Dependability and Security 8 Chair(s): Xusheng Xiao

Large language models (LLMs) excel in many tasks of software engineering, yet progress in leveraging them for vulnerability discovery has stalled in recent years. To understand this phenomenon, we investigate LLMs through the lens of classic code metrics. Surprisingly, we find that a classifier trained solely on these metrics performs on par with state-of-the-art LLMs for vulnerability discovery. A root-cause analysis reveals a strong correlation and a causal effect between LLMs and code metrics: When the value of a metric is changed, LLM predictions tend to shift by a corresponding magnitude. This dependency suggests that LLMs operate at a similarly shallow level as code metrics, limiting their ability to grasp complex patterns and fully realize their potential in vulnerability discovery.

https://mlsec.org/docs/2026-icse.pdf
small-avatar
Felix Weissberg
BIFOLD & TU Berlin
Lukas Pirch
Lukas Pirch
BIFOLD & TU Berlin
Germany
small-avatar
Erik Imgrund
BIFOLD & TU Berlin
small-avatar
Jonas Möller
BIFOLD & TU Berlin
small-avatar
Thorsten Eisenhofer
BIFOLD & TU Berlin
small-avatar
Konrad Rieck
BIFOLD & TU Berlin

Fri 17 Apr

Displayed time zone: Brasilia, Distrito Federal, Brazil change

11:00 - 12:30
Dependability and Security 8Journal-first Papers / Demonstrations / Research Track at Oceania X
Chair(s): Xusheng Xiao Arizona State University
11:00
15m
Talk
DamFlow: Preventing a Flood of Irrelevant Data Flows in Android Apps
Journal-first Papers
Marco Alecci University of Luxembourg, Jordan Samhi University of Luxembourg, Luxembourg, Marc Miltenberger Fraunhofer SIT; ATHENE, Steven Arzt Fraunhofer SIT; ATHENE, Tegawendé F. Bissyandé University of Luxembourg, Jacques Klein University of Luxembourg
11:15
15m
Talk
LVing: A Vulnerability Detection and Visualization Platform for Rust
Demonstrations
Ernesto Diaz Texas A&M University-San Antonio, Mark Solis Texas A&M University-San Antonio, Young Lee Texas A & M University - San Antonio, Jeong Yang Texas A&M University-San Antonio, Deep Gandhi Independent Researcher
11:30
15m
Talk
StagedVulBERT: Multi-Granular Vulnerability Detection with a Novel Pre-trained Code Model
Journal-first Papers
Yuan Jiang Harbin Institute of Technology, Yujian Zhang Harbin Institute of Technology, Xiaohong Su Harbin Institute of Technology, Christoph Treude Singapore Management University, Tiantian Wang Harbin Institute of Technology
11:45
15m
Talk
Just-in-Time Detection of Silent Security Patches
Journal-first Papers
Xunzhu Tang University of Luxembourg, Kisub Kim DGIST, Saad Ezzini King Fahd University of Petroleum and Minerals, Yewei Song University of Luxembourg, Haoye Tian Aalto University, Jacques Klein University of Luxembourg, Tegawendé F. Bissyandé University of Luxembourg
12:00
15m
Talk
Rusted Types: Static Detection of Rust Type Confusion BugsVirtual Attendance
Research Track
Zeyang Zhuang The Chinese University of Hong Kong, Wei Meng Chinese University of Hong Kong, Michael Lyu The Chinese University of Hong Kong
12:15
15m
Talk
LLM-based Vulnerability Discovery through the Lens of Code Metrics
Research Track
Felix Weissberg BIFOLD & TU Berlin, Lukas Pirch BIFOLD & TU Berlin, Erik Imgrund BIFOLD & TU Berlin, Jonas Möller BIFOLD & TU Berlin, Thorsten Eisenhofer BIFOLD & TU Berlin, Konrad Rieck BIFOLD & TU Berlin
Pre-print